|
Mr Crucial posted: I have a really annoying piece of malware that I'm struggling to get rid of.

Try the new hotness! http://www.herdprotect.com/
|
# ? Jun 2, 2014 18:31 |
|
|
# ? May 30, 2024 16:53 |
|
Mistayke posted: Try the new hotness!

The number of false positives from this approach should be amusing.
|
# ? Jun 2, 2014 19:54 |
|
It actually worked really well in the instances I've used it in. It's not perfect, but it's still being developed.
|
# ? Jun 2, 2014 19:54 |
|
Take its detections with a pinch of salt, and its lack of any with another. It is perhaps licensing old engines, or old definitions, to do its scans, because users on various forums suggest it misses the majority of threats that any of its 68 AV engines can individually spot. It deserves negative credibility alone for saying "the cloud" 15 times per paragraph, whilst never mentioning what it actually does. If you like the idea of a second-opinion on-demand scanner, it already exists in the form of the VirusTotal uploader (single files only, mind). It looks interesting, but I suspect the reason it obfuscates how the detections are done is because it's doing something like using the VirusTotal API, and then tagging on a bunch of very sub-par scanners to bulk up the number.

Fake edit: whilst writing this, my test-scan with it has detected part of MBAM as a threat.
|
# ? Jun 5, 2014 02:03 |
|
Bear with me, because I'm not sure which way this BS is going: A lawyer I've done some IT work for in the past called me up today asking how his Win7 computer could have reverted back to May 2012. We talked back and forth, and I had him check some things for me, as he also can't get on the internet for some reason. He's sure about the date, as his most recent email in Outlook is from May 2012, his desktop image has been different for a long time but now it's what it would have been back then, etc. Looking into System Restore, he has two restore points, May 2012 and today at ~5:00 AM Central. Looking through the event viewer, under Security, there are several suspicious entries just before 3:30 AM (which is significant because that's the most recent boot time as well):

code:

Sadly, the only firewall is an SMC Comcast business gateway, so of course no real logging is to be had on the WAN link. I have no idea whether my buddy had this guy's password, I certainly never needed to have it, and in all the time he worked there and I worked for them I never got the feeling the lawyer trusted his 'paralegal' with his password. I'm asking here because I hope he simply got phished or hacked, or has some awful remote execution malware, rather than it being somehow related to my buddy. Secondly, I really don't feel like being accused of anything, and I can't really be sure of anything at this point. I instructed him to make a backup onto a new external HD and then shut it down, and told him I'd call later today, but I have no idea where to begin. I don't really do side IT work anymore, it's just too drat difficult to juggle an 8-5 plus help customers who also keep the same schedule.
|
# ? Jun 11, 2014 20:04 |
|
System Restore should not have had any effect on his email files. Intriguing...

EDIT: I'm not accusing your friend of anything, but the more I think about it, it looks like the emails were manually deleted and perhaps the system restore to that same time period was a clumsy attempt to cover tracks or obfuscate the cause. 3 AM is the default time for Windows updates to run... perhaps one failed spectacularly after rebooting at 3:30... What is the description of the 5 AM restore point from today? Maybe the lawyer deleted the email himself and is trying to cover it by faking getting hacked? I want to get in that machine and look around so bad.

Billy the Mountain fucked around with this message at 07:17 on Jun 12, 2014
# ? Jun 12, 2014 07:04 |
|
Oddhair posted: Bear with me, because I'm not sure which way this BS is going:

I do lots of work with lawyers, and my wife is one. Make sure you're keeping track of your time and billing him for even the back and forth - it's SOP in lawyerville, and should be with your time as well. They can afford it, certainly. That said, I wouldn't interject yourself in this any more than you have to. Don't make promises you can't keep - i.e., "I can get all your files back" or "I can definitively say what caused this problem." Just offer solutions going forward, and do your best for past recovery - it's all you can do, you're not Superman. Your buddy telling you not to do work for lawyerdude sounds unreasonably suspicious. That only reconfirms my advice - don't get involved. Or, if you do, hedge your promises - it's not worth the money or stress.
|
# ? Jun 12, 2014 08:43 |
|
Oddhair posted:

This is a normal event log for a scenario where admin privileges are needed to enact a change, or to log on; this will occur all over the logs. NTLMSSP is still in Win7 but will only be used for making outbound remote logins to older systems, iirc, so this is unlikely to be a clue either. Some rootkits and worms mess around with network logins and might be triggering that (i.e. Conficker), but that doesn't revert your system restore - and I can't think of any motivation for malware to do that. I would walk away from this one; it seems he has used System Restore to either cover tracks, or to try to fix a problem, and is now panicking because he ignored the date.

e: quote: Off the top of my head, I couldn't log into someone else's machine and run System Restore, then remove all restore points but one (well, not without lots of research), and I'm significantly more technical than he is.

Khablam fucked around with this message at 10:54 on Jun 12, 2014
# ? Jun 12, 2014 10:52 |
|
Khablam posted: Actually this would be pretty easy in a scenario where the ex-employee still has access to some installed remote desktop software, VNC or the like.

This was one of the odd red herrings: LogMeIn was there, along with lots of other folders he'd cleared out years ago. The thing that didn't stand out was that it was booting into Windows Vista instead of Win7. Still not sure what happened, but his old Vista machine's hard drive had been pulled out and added to his new desktop when it was purchased, and then never removed. Somehow the boot order got swapped in the BIOS (or maybe the other lawyer was ham-fistedly messing with lawyer #1's tower when he experienced some difficulty with his email the night before and reversed the cables), so it booted off the Vista hard drive. One BIOS change later it booted fine into Win7. Thanks for your responses, I'm glad it turned out to be nothing serious, because over the phone it was really suspicious sounding.
|
# ? Jun 12, 2014 14:13 |
|
What is currently the best way to remove CryptoLocker and its variants? ESET NOD32, Malwarebytes, SuperAntiSpyware, and even ComboFix ain't hacking it this time.
|
# ? Jul 9, 2014 21:10 |
|
Billy the Mountain posted: What is currently the best way to remove CryptoLocker and its variants? ESET NOD32, Malwarebytes, SuperAntiSpyware, and even ComboFix ain't hacking it this time.

CryptoLocker doesn't really embed itself much. You can boot into safe mode command prompt and delete the files. However it won't get your stuff back. You gotta pay the man to get your stuff back.
|
# ? Jul 9, 2014 21:24 |
|
Don Lapre posted: However it won't get your stuff back. You gotta restore from your backup that you take regularly to get your stuff back.

FTFY.
|
# ? Jul 10, 2014 09:25 |
|
Windows Defender Offline does fuckall for Rovnix. Kaspersky Rescue Disk cleaned it out, then I just needed to use bootrec off a Windows repair disk because it jacked up the boot record.
|
# ? Jul 10, 2014 18:12 |
|
Well, some researchers uncovered a pretty easily exploited (and in hindsight, very obvious) weakness in thumb drive firmware. So be prepared for even more restrictions on USB drives (and devices in general).
|
# ? Jul 31, 2014 16:29 |
|
psydude posted: Well, some researchers uncovered a pretty easily exploited (and in hindsight, very obvious) weakness in thumb drive firmware. So be prepared for even more restrictions on USB drives (and devices in general).

Does Bluetooth have a physical connection protocol? Should it? Should the USB spec just be re-written? I don't have anywhere near enough domain knowledge to venture an opinion, but am curious what others think.
|
# ? Jul 31, 2014 18:53 |
|
psydude posted: Well, some researchers uncovered a pretty easily exploited (and in hindsight, very obvious) weakness in thumb drive firmware. So be prepared for even more restrictions on USB drives (and devices in general).

Fuckkkkkkkk. I guess we're going to see a resurgence in CD and/or floppy media!
|
# ? Jul 31, 2014 19:04 |
|
psydude posted: Well, some researchers uncovered a pretty easily exploited (and in hindsight, very obvious) weakness in thumb drive firmware. So be prepared for even more restrictions on USB drives (and devices in general).

We are all hosed! Time for USB device firmware signing. Actually, why is the firmware in USB even writable? Shouldn't it be read-only to prevent this kind of thing? There are a few solutions, but this is going to require a ton of effort and likely a port revision to really fix. We can probably keep the same size, but once this is in the wild things are going to get bad fast for anyone that uses a thumb drive to fix computers, or to store anything IT related. I plug my thumb drive into dozens of computers every day. It's going to be easy enough to secure my personal computer as long as I never plug a mouse from work into it. But an exploit of this scale is going to leave legacy devices that are infected: monitors' USB hubs, mice, keyboards. What are you going to do with them? They are very likely going to sit around in storage and get back into the wild; every legacy USB device is going to be infected in every workplace forever if this actually hits the wild.
|
# ? Jul 31, 2014 19:11 |
|
pixaal posted: Actually, why is the firmware in USB even writable?

Because it doesn't save any money to do it another way? Really, the same reason there's a full system on there to actively handle defects and present a unified storage space to the host OS, rather than always going for the highest quality chips and a less robust firmware onboard.
|
# ? Jul 31, 2014 19:25 |
|
Wouldn't this mean that the malware would have to rewrite the firmware onboard, so that it will not only work as expected, but also execute its payload? I suspect that not *all* USB devices will be exploited, just because they would have to tailor each exploit to that firmware, and I'm sure some of the devices' firmware will be too drat small.

Nintendo Kid posted: Because it doesn't save any money to do it another way? Really, the same reason there's a full system on there to actively handle defects and present a unified storage space to the host OS, rather than always going for the highest quality chips and a less robust firmware onboard.

Free Market!
|
# ? Jul 31, 2014 20:17 |
|
To follow this up, FireEye (formerly known as Mandiant) has released a white paper detailing the failure of defense in depth security architectures at preventing attacks in the real world. One of the bigger threats comes from bespoke executables designed specifically for the targeted organization, system, or application.
|
# ? Aug 1, 2014 15:39 |
|
Let's all use SD cards! https://www.youtube.com/watch?v=Tj-zI8Tl218
|
# ? Aug 1, 2014 19:16 |
|
Am I right in thinking you can just disable automatic driver installation to prevent this?
|
# ? Aug 1, 2014 20:01 |
|
Ireland Sucks posted: Am I right in thinking you can just disable automatic driver installation to prevent this?

No. The "bad code" runs on the USB/SD/whatever microcontroller, not your PC. What that code can do is another matter, but you can imagine it altering flash contents, copying stuff to a hidden storage, replacing files on the stick etc.
|
# ? Aug 1, 2014 20:09 |
ADWcleaner is rapidly becoming my go-to choice for a first run on infected machines, especially ones that do stuff like proxy/DNS redirection. It's a self-contained .exe so it can run directly off of a flash drive, it's fast, it's efficient, and it doesn't just remove the garbage but it also cleans up all the little hooks they love putting in so you don't have to do manual cleanup. I love it. Probably the only downside it has is that as soon as you confirm that it can clean off all the junk it found, it force-restarts immediately after it finishes.
|
|
# ? Aug 1, 2014 23:01 |
|
Ireland Sucks posted: Am I right in thinking you can just disable automatic driver installation to prevent this?

What happens is that the device imitates a 'common' USB device whose drivers are built in. Even if you blocked drivers, the HID drivers for a keyboard are probably already loaded and running, and if the USB device mimics that to type keystrokes, then nothing has been accomplished. USB drivers for a bunch of stuff (keyboards, mice, webcams, network ports, etc.) are built into most operating systems. USB is far too trusting, and a 'signed' USB standard that has each device distinct and can be centrally managed (i.e. USB device plug-in checks device cert and ID against a master DB of approved devices before anything happens) is probably something that should have been included in the spec from the start.
|
# ? Aug 1, 2014 23:17 |
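The post above proposes a host-side allowlist that checks a device's identity against a database of approved devices before the OS binds any driver. The block below is an added illustration of that idea and is not code from the thread or from any USB stack; the vendor/product IDs, serials and the enumeration records are constructed. It goes one step beyond a plain identity check: because malicious firmware can present whatever identity it likes, the policy also records which USB interface classes each approved device is expected to expose, so an approved thumb drive that has been reflashed to additionally enumerate as a keyboard (HID, class 0x03) is blocked even though its VID/PID/serial still match.

```python
# Added example: host-side USB device allowlist with interface-class pinning.
# All device records and IDs below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

HID = 0x03           # USB interface class: Human Interface Device (keyboards, mice)
MASS_STORAGE = 0x08  # USB interface class: mass storage (thumb drives)


@dataclass(frozen=True)
class UsbDevice:
    """What the host learns from a device's descriptors at enumeration time."""
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[int, ...]  # interface classes the device exposes


# "Master DB of approved devices": identity -> the interface classes that
# identity is allowed to expose. Values are constructed, not real products.
ALLOWLIST: Dict[Tuple[int, int, str], FrozenSet[int]] = {
    (0x1234, 0x5678, "ABC123"): frozenset({MASS_STORAGE}),  # an approved thumb drive
    (0xABCD, 0x0001, "KB0001"): frozenset({HID}),           # an approved keyboard
}


def evaluate(dev: UsbDevice, allowlist=ALLOWLIST) -> Tuple[bool, str]:
    """Return (allow, reason).

    A device is allowed only if its (vid, pid, serial) is approved AND it exposes
    no interface class beyond the set recorded for that identity. The second
    check is what catches a "thumb drive" that now also enumerates as a keyboard:
    identity alone is exactly what reflashed firmware can keep intact.
    """
    key = (dev.vid, dev.pid, dev.serial)
    expected = allowlist.get(key)
    if expected is None:
        return False, "unknown device %04x:%04x serial=%s" % (dev.vid, dev.pid, dev.serial)
    unexpected = set(dev.interfaces) - expected
    if unexpected:
        classes = ",".join("%02x" % c for c in sorted(unexpected))
        return False, "approved identity exposes unexpected interface class(es): %s" % classes
    return True, "approved"


# Constructed enumeration log: what four plug-in events might look like.
SAMPLE_ENUMERATION: List[UsbDevice] = [
    UsbDevice(0x1234, 0x5678, "ABC123", (MASS_STORAGE,)),      # the approved stick, as shipped
    UsbDevice(0x1234, 0x5678, "ABC123", (MASS_STORAGE, HID)),  # same stick, reflashed: now also a keyboard
    UsbDevice(0xABCD, 0x0001, "KB0001", (HID,)),               # the approved keyboard
    UsbDevice(0xABCD, 0x0001, "KB9999", (HID,)),               # same model, serial not in the DB
]


def audit(devices: List[UsbDevice] = SAMPLE_ENUMERATION) -> List[Tuple[UsbDevice, bool, str]]:
    """Apply the policy to every enumerated device and return the verdicts."""
    return [(d, *evaluate(d)) for d in devices]


if __name__ == "__main__":
    for dev, allowed, reason in audit():
        print("%-5s %04x:%04x %-7s %s" % ("ALLOW" if allowed else "BLOCK",
                                          dev.vid, dev.pid, dev.serial, reason))
```

Two caveats a practitioner would add: the check only helps if it runs before the OS binds drivers (on Linux, USBGuard is an existing implementation of this pattern; Windows device-installation restrictions act at a similar point), and a reflashed device that keeps both its identity and its original interface set will still pass, so this is a mitigation for the "stick turns into a keyboard" case, not a cure for untrusted firmware.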
|
I've been wary about any USB port that isn't my own for years now. Is it possible, at the hardware level, to create a "USB condom" so you only get a charge and nothing else?
|
# ? Aug 1, 2014 23:58 |
|
hackedaccount posted: I've been wary about any USB port that isn't my own for years now.

http://int3.cc/products/usbcondoms
|
# ? Aug 2, 2014 00:00 |
|
hackedaccount posted: I've been wary about any USB port that isn't my own for years now.

Charge-only cables exist, and iirc they only have connectors for the pins that carry the power, and none of the others.
|
# ? Aug 2, 2014 02:26 |
|
Captain Novolin posted: Charge-only cables exist, and iirc they only have connectors for the pins that carry the power, and none of the others.

Note that for most devices this will prevent them from getting more than 100 milliamps of power off a USB port (due to negotiating for more power being made impossible).
|
# ? Aug 2, 2014 02:29 |
|
President Ark posted: ADWcleaner is rapidly becoming my go-to choice for a first run on infected machines, especially ones that do stuff like proxy/DNS redirection. It's a self-contained .exe so it can run directly off of a flash drive, it's fast, it's efficient, and it doesn't just remove the garbage but it also cleans up all the little hooks they love putting in so you don't have to do manual cleanup. I love it.

At work we had an issue with ADWcleaner on a Windows 8 PC. We think it deleted something it should not have and the OS poo poo itself. Had to send someone out to onsite the thing and do an OSRI. No more ADWcleaner on Windows 8 machines after that.
|
# ? Aug 2, 2014 11:19 |
|
President Ark posted: ADWcleaner is rapidly becoming my go-to choice for a first run on infected machines, especially ones that do stuff like proxy/DNS redirection. It's a self-contained .exe so it can run directly off of a flash drive, it's fast, it's efficient, and it doesn't just remove the garbage but it also cleans up all the little hooks they love putting in so you don't have to do manual cleanup. I love it.

I feel like I post this every few pages, but my SOP for a random machine displaying X behaviour is: disable/uninstall all A/V -> rkill -> TDSS fixers -> ComboFix -> MWBAM -> ADWcleaner -> ensure current realtime A/V is present. Anyone feel they have a better method?
|
# ? Aug 3, 2014 09:34 |
|
mindphlux posted: Anyone feel they have a better method?

Nuke it from orbit and restore from a backup of the data?
|
# ? Aug 3, 2014 13:45 |
|
KennyTheFish posted: Nuke it from orbit and restore from a backup of the data?

That's not really a better method.
|
# ? Aug 3, 2014 16:54 |
|
go3 posted: That's not really a better method.

If something like that isn't working and it's still behaving erratically, it kind of is. The alternative is spending hours to days manually removing crap and finding you still haven't dug it all out. In a time sense, flattening it and reinstalling is sometimes the best way.
|
# ? Aug 3, 2014 16:57 |
|
I usually wipe temporary files for all users and then run MBAM followed by ComboFix, both in safe mode. If there's still something left after that, I format and reinstall and start again after taking the client's Documents/Downloads/Music/Pictures folders (because, as we all know, no one ever makes a loving backup).
|
# ? Aug 3, 2014 23:55 |
|
Running ComboFix on a machine you know/suspect has no backup is a really bad idea. It's a very blunt instrument, and 'but I had no problems before!' means poo poo all when it manages to trash a SAM file and leave loads of files permanently encrypted, otherwise trashes user profiles, or any of a long list of common bugs. It isn't a malware remover; it's a tool which digs around deep in system configurations to adjust and revert low-level parameters. You should only run it as a last resort; it's not in any way designed to be some catch-all malware remover, that's what ADWcleaner is for.
|
# ? Aug 4, 2014 00:34 |
|
This is my usual run-through to clean a computer up.

Basic malware/unwanted programs:
- Run rkill. If it finds anything serious (it will usually tell you if something is up), move on to the more serious steps. Otherwise, continue with the steps below.
- Run Toolbar Cleaner. Remove unwanted toolbars and startup items.
- Do a program audit and remove unwanted things like Ask, Conduit, etc. Got something stubborn or broken to uninstall? Use Revo Uninstaller. Not sure what to uninstall? Should I Remove It is a good place to look stuff up. It isn't the be-all end-all, but very useful.
- Run Junkware Removal Tool. Similar to ADWcleaner; removes registry entries, folders, etc. for junk programs.
- Run CCleaner Portable. Cleans up the temp files, cached web pages, etc. I've had people with 10GB+ of temp files.
- Run Ninite. Update all runtimes and help keep things secure.
- Run Malwarebytes Anti-Malware. Once it is done scanning, remove the objects it finds and restart.
- Run ADWcleaner. Useful tool since it can remove services, scheduled tasks, leftover folders from uninstalled programs, registry entries; checks browser extensions too. Program is updated often. Requires a system restart to remove everything it finds.
- The computer should be good now. Make sure antivirus is functioning and updated.
- Check browsers for remnants in search engines and extensions. Remove unwanted things.
- Check Windows startup, services and Task Scheduler for remnants.

If you find something iffy in rkill you can skip the above and go directly to:
- Reboot to safe mode.
- Run rkill.
- Run TDSSKiller. Pros: quick to run and finds common rootkits. Cons: not updated very often and doesn't find a whole lot.
- Run Malwarebytes Anti-Rootkit. Updated more often than TDSSKiller but takes longer to run. Finds a good amount of stuff.
- Run RogueKiller. This is a goodie. Can stop processes it finds, fix hosts file, fix proxy stuff, remove registry entries.
- Still think it is infected? Run Emsisoft Emergency Kit. Free and updated often. Has the option to scan every single file on the computer. Can take hours to run, but it is thorough.

Still messed up? It depends on what you find, but the following can help.
- Try a new user profile. User profiles break all the freaking time. Make a new one and test the issue out in it. Does it work there? Good. Move their files over and figure out what programs and settings need to be set up again.
- Try sfc /scannow. Open an elevated command prompt and run the sfc /scannow command. It will check system files for consistency and hopefully repair the issue if it finds one. Can take multiple run-throughs for it to actually repair anything. If it repairs something, restart the computer and see if the issue is fixed.
- Try Tweaking AIO. Tweaking takes a while to run, but it can repair a number of issues caused by infections, like file ownership, Windows Updates not working, services not starting, hidden icons. Useful tool with too many repairs/fixes to list.
- Still fubar? OSRI and clean or wipe out the MBR if you think it has a rootkit.

Hopefully this will help someone out. Let me know if you have a better method, I'm always looking for newer and better ways of doing things.
|
# ? Aug 4, 2014 03:55 |
|
Khablam posted: Running ComboFix on a machine you know/suspect has no backup is a really bad idea. It's a very blunt instrument, and 'but I had no problems before!' means poo poo all when it manages to trash a SAM file and leave loads of files permanently encrypted, otherwise trashes user profiles, or any of a long list of common bugs.

I definitely make a system restore point manually before doing anything on the machine, and discuss the lack of backup with the machine owner / client point of contact. That said, I've only had one out of several hundred times of running ComboFix give me a shitstorm - and I could still grab data off the hard drive to back up, then reformat and recover. I feel like ComboFix is much less of a blunt instrument than any other malware program - in fact, I feel like it's more like a surgical knife. I can run MWBAM/ADWcleaner/whatever all day, and have recurring problems - but if I run ComboFix, I'm left with a hard drive with several hundred megs less of ????, a bunch of quarantined files, and nearly always a working system. It may cut out too much, in which case you have to stitch some wounds up manually, but it's not just hammering away at the issue uselessly. I rkill and run it as my first resort - MWBAM/ADWcleaner are my backup scans to make sure ComboFix got everything. I don't feel like I'm being daft here either, the program has saved me so many hours of toiling away spinning my wheels running program after program... I really wish they would explain a bit more publicly about its inner workings, but... am I just being an idiot here or what?

mindphlux fucked around with this message at 05:11 on Aug 6, 2014
# ? Aug 6, 2014 05:08 |
|
Don Lapre posted: CryptoLocker doesn't really embed itself much. You can boot into safe mode command prompt and delete the files.

Not now! http://www.bbc.co.uk/news/technology-28661463

quote: All 500,000 victims of Cryptolocker can now recover files encrypted by the malware without paying a ransom.
|
# ? Aug 6, 2014 11:36 |
|
|
Sounds like it only helps people that already were infected, unless it picks from a limited list of keys instead of generating a fresh one every time. If there is a limited pool all it takes is an updated version with a new pool and things are right back to square one. Don't think someone else isn't going to try this.
|
# ? Aug 6, 2014 14:19 |